update policies on 2023/07/12 (#10)
mayakacz committed Jul 12, 2023
1 parent ccb2d32 commit 0b6b9c5
Showing 5 changed files with 4 additions and 7 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -8,7 +8,7 @@ _Since these are our internal policies, some links to internal documents or reso

This repository is the source of truth for the policies available at https://tailscale.com/security-policies/.

These policies were last reviewed on 2023-04-03.
These policies were last reviewed on 2023-07-12.

### FAQ

2 changes: 1 addition & 1 deletion change-management/index.md
Expand Up @@ -14,7 +14,7 @@ To avoid potential security incidents, Tailscale requires change management cont

Changes to code in Tailscale’s environment made by an employee or contractor must be tested and approved by another employee prior to being merged and rolled out.

Tailscale uses branch protection rules on GitHub to require a second review prior to merging code.
Tailscale uses branch protection rules on GitHub to require changes be made through a pull request with a second review prior to merging code.

Exceptionally, employees can push changes without a second review where they are required to mitigate an incident. Changes pushed without prior approval are tagged and audited after the fact, within 2 business days.

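Review bot: the new sentence states that branch protection requires every change to arrive through a pull request with a second review, but the following paragraph keeps the incident exception that lets employees push without one. The two read as contradictory unless the control description also says how the exception is permitted technically (for example, a bypass limited to a small set of roles) and that those bypasses are what the 2-business-day audit covers; suggest a short clause such as "...prior to merging code; bypassing this protection is limited to the incident exception described below." Minor: "require changes be made" reads more clearly as "require that changes be made".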
3 changes: 0 additions & 3 deletions information-classification/index.md
Expand Up @@ -39,7 +39,6 @@ Tailscale classifies assets into three risk categories: **Low Risk**, **Medium R
</td>
<td>
<ul>

<li><strong>Data</strong>: protection is mandated by confidentiality agreements, labor codes, specific laws and regulations (e.g. PCI DSS, HIPAA, GDPR), or data is subject to breach reporting requirements, or disclosure would have a significant adverse impact on Tailscale (e.g., user accounts database).

<li><strong>Hardware and software systems</strong>: compromise would have a significant adverse impact on Tailscale (e.g. the login.tailscale.com control plane service).
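Review bot: only the blank line directly after `<ul>` is removed in this cell (and likewise in the Medium Risk and Low Risk cells below), while the blank line between the Data and Hardware and software systems `<li>` items stays. Markdown renderers that meet a blank line inside inline HTML tend to open a paragraph, which is presumably the reason for dropping the first blank line; for consistency either remove the remaining blank line between the two items as well or leave all of them. The `<li>` elements also carry no closing `</li>`; that is valid HTML, but closing them makes the raw table easier to diff and review.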
Expand All @@ -52,7 +51,6 @@ Tailscale classifies assets into three risk categories: **Low Risk**, **Medium R
</td>
<td>
<ul>

<li><strong>Data</strong>: not generally available to the public, and disclosure would have some adverse impact on Tailscale (e.g. internal engineering documentation).

<li><strong>Hardware and software systems</strong>: compromise would have some adverse impact on Tailscale (e.g. cloud VM running production monitoring system).
Expand All @@ -65,7 +63,6 @@ Tailscale classifies assets into three risk categories: **Low Risk**, **Medium R
</td>
<td>
<ul>

<li><strong>Data</strong>: publicly available, or disclosure would have no adverse operational or financial impact on Tailscale (e.g. tailscale.com website source code). May still have some limited reputational impact.

<li><strong>Hardware and software systems</strong>: compromise would have no adverse impact on Tailscale (e.g. testbed cloud VM with no user data or privileged access).
2 changes: 1 addition & 1 deletion overview.md
@@ -1,5 +1,5 @@
### Security policy ownership
All security policies are owned by the Chief Operating Officer (COO). The Security Review Team (members in Engineering, Product and Operations) are responsible for reviewing the policies.
All security policies are owned by the Chief Operating Officer (COO). The Security Review Team (members in Security, Engineering, and Operations) are responsible for reviewing the policies.

The Chief Operating Officer and the Security Review Team are responsible for implementing the processes and controls laid out in the security policies, and pulling in other employees as needed.

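Review bot: Product is dropped from the Security Review Team membership and Security is added. Confirm this is intentional rather than a team rename, since removing Product changes who reviews the policies. The next paragraph still names only the COO and the Security Review Team as responsible for implementing the controls; if Security now exists as a distinct function, consider whether policy ownership or the implementation responsibility should mention it.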
2 changes: 1 addition & 1 deletion personnel/index.md
Expand Up @@ -15,4 +15,4 @@ As part of its hiring process, Tailscale does not perform criminal background ch
All employees must complete Tailscale’s information security awareness training as part of their initial onboarding and thereafter, while still under contract, on an annual basis.

### Performance Reviews
All full time employees must complete a biannual Performance Review, the results of which are signed and dated by both the employee and their manager, and uploaded to the employee’s personnel files in the HR system.
All full time employees must complete an annual Performance Review, the results of which are signed and dated by both the employee and their manager, and uploaded to the employee’s personnel files in the HR system.

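Review bot: "full time" used as an adjective before "employees" should be hyphenated ("full-time") in the line being changed. The move from "biannual" to "annual" also removes a genuine ambiguity, since "biannual" can mean twice a year or every two years; if the previous cadence was twice a year, this halves the review frequency and the commit message should say so rather than only "update policies".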